ii. H.R.2752 Author,
Consumer and Computer Owner Protection and Security (ACCOPS) Act of 2003: “To
encourage the development and distribution of creative works by enhancing
domestic and international enforcement of the copyright laws, and for other
purposes.”

iii. S.2048 Consumer
Broadband and Digital Television Promotion Act (CBDTPA): “A bill to regulate
interstate commerce in certain devices by providing for private sector
development of technological protection measures to be implemented and enforced
by Federal regulations to protect digital content and promote broadband as well
as the transition to digital television, and for other purposes.”

iv. H.R.2517 Piracy
Deterrence and Education Act of 2003: “To enhance criminal enforcement of the
copyright laws, educate the public about the application of copyright law to
the Internet, and clarify the authority to seize unauthorized copyrighted
works.”

vi. H.R.5211 To amend title 17, United States Code, to limit the liability of
copyright owners for protecting their works on peer-to-peer networks: “Amends
Federal copyright law to protect a copyright owner from liability in any
criminal or civil action for impairing, with appropriate technology, the
unauthorized distribution, display, performance, or reproduction of his or her
copyrighted work on a publicly accessible peer-to-peer file trading network, if
such impairment does not, without authorization, alter, delete, or otherwise
impair the integrity of any computer file or data residing on the computer of a
file trader.”

d. Offering monetary
rewards for “information leading to...”

e. Denial of Service
attacks on P2P networks

f. Napster-era file
hashes

g. Flooding networks
with fake files

h. Software written
to sabotage P2P networks and computers downloading copyrighted music

i. H.R.107 Digital
Media Consumers' Rights Act (DMCRA) of 2003: “To amend the Federal Trade
Commission Act to provide that the advertising or sale of a mislabeled
copy-protected music disc is an unfair method of competition and an unfair and
deceptive act or practice, and for other purposes.”

ii. H.R.69 Online Privacy Protection Act of 2003: “To require the Federal
Trade Commission to prescribe regulations to protect the privacy of personal
information collected from and about individuals who are not covered by the
Children's Online Privacy Protection Act of 1998 on the Internet, to provide
greater individual control over the collection and use of that information, and
for other purposes.”

iii. S.563 Computer Owners’ Bill of Rights.
“To protect owners of computers, and for other purposes.”

iv. H.R.1066 BALANCE
Act of 2003 (Benefit Authors without Limiting Advancement or Net Consumer
Expectations) (formerly H.R.5522 Digital Choice and Freedom Act of 2002): “To
amend title 17, United States Code, to safeguard the rights and expectations of
consumers who lawfully obtain digital entertainment.”

v. S.692 Digital
Consumer Right to Know Act of 2003. “To require the Federal Trade Commission to
issue rules regarding the disclosure of technological measures that restrict
consumer flexibility to use and manipulate digital information and
entertainment content.”

vi. H.R.48 Global Internet Freedom Act:
“Establishes in the International Broadcasting Bureau the Office of Global
Internet Freedom to develop and implement a comprehensive global strategy to
combat state-sponsored and state-directed Internet jamming and persecution of
those who use the Internet.”

vii. H.R.3159 Government
Network Security Act of 2003: “To require Federal agencies to develop and
implement plans to protect the security and privacy of government computer
systems from the risks posed by peer-to-peer file sharing.”

VI. Proactive methods
and technologies to protect against network surveillance

Numerous methods are used by
copyright holders in an effort to protect their Intellectual Property (IP) rights.
In many cases those methods intrude on the real and perceived rights of
Internet users to participate in private communications. This raises the
question: at what point does privacy lose out against aggressive enforcement
toward possible IP-infringing activities such as peer-to-peer file sharing?
There is a monetary value attached to IP, and it is measured by the loss of
potential revenue. There is also a value attached to an Internet user’s
privacy, of which the loss is measured by the chilling effects imposed upon
their online freedoms. There are many methods available for copyright holders
to protect IP using Digital Rights Management that do not interfere with the
privacy rights of individuals. While it has been shown that a few technologies
such as peer-to-peer (P2P) and Instant Messaging facilitate IP-infringing
activities, there are also many acceptable uses for these technologies. An
example of a law that has privacy implications is the Digital Millennium
Copyright Act (DMCA). This law has been the basis for many recent
non-copyright-related lawsuits. Copyright holders are connecting to the largest P2P
networks and filing subpoenas with Internet Service Providers to obtain
personal information about potential IP infringers. This leads to a loss of the
expectation of privacy that Internet users are accustomed to. If the copyright
holders electronically enter the hard drives of P2P users they may be held
liable for possible trespass to chattels
or other legalities. These actions deprive the P2P user of their due process
rights and the expectation of innocence. Recognizing that copyright holders
such as the Recording Industry Association of America (RIAA) may be too zealous
in their detection methods, Senator Norm Coleman (R-MN) has begun proceedings
to investigate the privacy implications of their information-gathering
procedures. In addition, several bills have been introduced in an effort to
curb the misuse of the DMCA. Before these new laws and amendments take effect,
P2P users will need to take steps to protect their privacy from the detection methods
employed by copyright holders such as the RIAA and its subsidiaries.

Background

The passage into law of the Digital Millennium Copyright Act (DMCA)
in October 1998 has affected the balance between consumers’ right to use of
resources, and copyright holders’ desire to control their property. This was a
direct result of the creation of file-sharing software Napster by University of Michigan student Shawn Fanning in 1999 [6]. The Recording
Industry Association of America (RIAA) has filed thousands of subpoenas and
instigated hundreds of lawsuits against peer-to-peer (P2P) software users in an
attempt to prevent the illegal online sharing of their intellectual property
(i.e. music files). This conflict between content owners and content users is
occurring due to the differing values attributed to the Intellectual Property
(IP) of copyright holders versus consumers’ freedom to use purchased material
in any method they wish. Music-purchasing customers are discovering that the implementation
of certain Digital Rights Management (DRM) components in music CDs prevents
“fair use” of those works. A recent marketing attempt to distribute
copy-protected music compact discs met with failure due to consumers’ inability
to play them in their cars and computers; they had lost the freedom to use their
purchased material as desired. The technical methods employed by this DRM were
bypassed by customers with only a felt marker [5]. This example demonstrated to
the industry that even highly technical DRM methods are not foolproof.

Section 107 of the Copyright
Act of the United States defines a four-factor test for the fair use of IP, generally applied by the
courts (when necessary) on a case-by-case basis:

the purpose and character of the use, including whether such use is of a
commercial nature or is for nonprofit educational purposes;

the nature of the copyrighted work;

the amount and substantiality of the portion used in relation to the
copyrighted work as a whole;

the effect of the use upon the potential market for, or value of, the
copyrighted work [4].

Historically, consumers have
been able to legally make a copy of a VHS movie, and even software, for
archival backup purposes. With new DRM processes and shrink-wrap licenses that
capability can be prevented by the copyright holder, thus preventing fair use
of the content. Recent court cases have upheld the legality of shrink-wrap
licenses preventing the reverse-engineering of software [7], which is a
programming technique used to enable market competition and product
interoperability. You may be held liable for numerous offenses by reverse-engineering
the protection on any DRM in an attempt to bypass or remove the protection to
allow saving the content in a new format or simply backing it up.

Each of these mediums (music
files, movie files, and electronic books) presents unique challenges to DRM
systems. Adobe introduced an encryption scheme based on their Portable Document
Format (PDF) to protect books converted into an electronic version. This “e-Book”
design [8] used a weak password algorithm [9] to encrypt the contents of the
book. This same technique was used to embed software tokens in the data stream
which selectively enabled or disabled the ability to print out or copy the
file. A company in Russia reverse-engineered this algorithm and began marketing
a product [21] to break this protection. Simultaneously, it was discovered that
by using a common open-source PostScript-management product one could remove
these embedded tokens and some forms of file protection as well. This example
demonstrates that the laws in the United States may not be enforceable in different countries such as
Russia, where it is legal to sell copy-protection removal software.

IM and P2P

Both Instant Messaging (IM)
and Peer-to-Peer file sharing have significant legal uses such as personal file
sharing, archival software backup, commercial software support, and anonymous
discussion, none of which infringe on any copyrights. IM technology provides
the privacy necessary for the freedom of expression and debate of personal and
sensitive issues within the Internet community. This anonymous method of
communication is what has allowed the Internet to be widely regarded as having
freedom from undesirable intrusions. The Supreme Court has consistently afforded
First Amendment protection to the anonymous posting of comments and “whistle
blowing”: “Under our Constitution,
anonymous pamphleteering is not a pernicious, fraudulent practice, but an
honorable tradition of advocacy and of dissent. Anonymity is a shield from the
tyranny of the majority.” [1]

In Reno v. ACLU the Court further upheld anonymous free speech and updated
their earlier decision to include the Internet:

“Through the
use of chatrooms, any person with a phone line can become a town crier
with a voice that resonates farther than it could from any soapbox. Through the use of webpages, mail exploders,
and newsgroups, the same individual can become a pamphleteer.” [2] In the conclusion of this case, the Court added: “As a matter of constitutional tradition, in
the absence of evidence to the contrary, we presume that governmental
regulation of the content of speech is more likely to interfere with the free
exchange of ideas than to encourage it. The interest in encouraging freedom of
expression in a democratic society outweighs any theoretical but unproven
benefit of censorship.” [ibid]

Morpheus (a
popular P2P client application) was sued for failing to prevent the
IP-infringing uses of its software by customers. They won a motion for summary judgment
primarily based on the decision in Sony
v. Universal Studios (the famous Betamax
case) where the Supreme Court declared: “…the
mere capability of substantial
noninfringing uses is all that is required to protect a new technology from an
attack grounded on allegations of contributory copyright infringement.” [37]
(emphasis mine)

Separately, in MGM v. Grokster (a case hinging on the
possible requirement of a software company to produce a product that prevents
infringing uses) the Court followed up with a similar decision:

“The doctrine of vicarious infringement does
not contemplate liability based upon the fact that a
product could be made such that it is less susceptible to unlawful
use, where no control over the user of the product exists.” [MGM v. Grokster, 259 F. Supp. 2d at 1045-46 (emphasis in original).] Additionally
the Court said: “It is no surprise that –
just as the studios initially resisted video tape rather than releasing
prerecorded tapes – the established record and movie companies have resisted opportunities
to exploit peer-to-peer technology. When one entirely dominates the existing
means of distribution, one tends to resist change.” [38]. The Court further
states: “In the case of the music and motion picture industries, permitting
the incumbent leaders to suppress disruptive technologies will
leave not just society, but copyright owners
themselves poorer over the long run.”
[39]

These court cases have shown
that the judicial branch of our government is more savvy than anticipated. It
is important to note that the future
use of a product must be contemplated while determining if an infringing
activity is taking place. An analogous case involving a P2P product named Madster (formerly
Aimster) was
lost because the defendant (Madster) used examples with copyrighted music files in their
program documentation tutorials and also failed to produce any evidence of significant
non-infringing product usage.

In an activity related to freedom
of speech, the Sarbanes-Oxley Act of 2002
(as passed by the Senate, titled: Public
Company Accounting Reform and Investor Protection Act of 2002) [10] which
became law in the wake of the Enron debacle gives significant protection to
whistleblowers. More recently a June 24, 2003, 9th Circuit Court of Appeals decision
gave §230(c) of the Communications Decency Act [3] more
protection to anonymous Internet posters than the First Amendment [ibid] and
directly addressed “CyberSLAPP” lawsuits (Strategic
Lawsuits Against Public Participation) [12] which attempt to prevent public
criticism of companies and individuals. These “CyberSLAPP”
lawsuits have been consistently dismissed by the courts, yet the newly-elevated
subpoena provision of the DMCA allowed corporations and powerful citizens to
issue similar “John Doe”-like subpoenas and thereby circumvent this trend, but
only if the ISP actually stores the copyrighted materials on their servers and
doesn’t just act as a conduit for P2P network activity. [32]

In an attempt to counter
the anti-P2P actions of the RIAA, MPAA, and similar agencies, Sharman Networks,
the creators of the KaZaA file-sharing software,
modified their End-user License Agreement (EULA) in October 2003 to provide for
their indemnification from any illegal or improper use of their software and
network by end users:

2.11 Monitor traffic or make search requests in order
to accumulate information about individual users; […]

2.14 Collect or store personal data about other users [55]

They also added verbiage that
attempts to prevent the use of their software and network for the purpose of
discovering or tracking users’ identities. Historically the courts have upheld
shrink-wrap licenses, and it will be interesting to see if this new tactic
holds up when it is challenged in the current court case wherein Sharman is
suing the record labels and movie studios [56].

Detection Methods

I will concentrate on the
current actions employed by the RIAA in their attempt to detect infringing uses
of copyrighted materials. The RIAA has retained several companies such as MediaSentry, Cyveillance, BayTSP, and Vidius to broaden their detection and
data mining capabilities. Possible detection steps [23] employed by the RIAA
and its hired tracking firms are as follows:

Use automated software agents known as “bots” to
scan popular P2P networks for potentially-infringing file trading of
copyrighted material;

Once a probable list of files is located,
download a certain number for later manual verification by a human;

Each file will have a checksum computed and
compared to a database of Napster-traded music file hashes (dating back to
May 2000) searching for a possible match;

The RIAA then prepared a DMCA discovery subpoena for
the Internet Service Provider (ISP) in preparation for future legal action
against the P2P user. Due to bad publicity they also started sending out
letters to each suspected infringer with a settlement offer in lieu of
court action.
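The checksum comparison in the third step above, sketched as an added example (not code from this paper or from any tracking firm): it assumes SHA-256 as the checksum, since the paper does not name the algorithm, and uses constructed byte strings in place of real downloads. A match shows only that a file is byte-identical to a catalogued copy; it says nothing about who was using the account.

```python
import hashlib
import io
from dataclasses import dataclass
from typing import BinaryIO, Dict, List, Optional

CHUNK = 64 * 1024  # read in blocks so large media files are never held in memory


def file_digest(stream: BinaryIO) -> str:
    """Hex digest of a binary stream. SHA-256 is an assumption of this example."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


@dataclass(frozen=True)
class KnownCopy:
    title: str
    first_seen: str  # when this exact byte sequence was first catalogued


@dataclass(frozen=True)
class Finding:
    filename: str
    digest: str
    match: Optional[KnownCopy]  # None when the bytes are not in the catalogue


def compare(downloads: Dict[str, bytes], known: Dict[str, KnownCopy]) -> List[Finding]:
    """Hash every downloaded file and look the digest up in the catalogue."""
    findings = []
    for name, data in sorted(downloads.items()):
        digest = file_digest(io.BytesIO(data))
        findings.append(Finding(name, digest, known.get(digest)))
    return findings


# Constructed sample data (not real audio, titles or hashes).
CATALOGUED = b"ID3\x03" + b"constructed-audio-frames" * 4096
# Same recording encoded separately: the bytes differ, so the digest differs.
SEPARATE_ENCODING = b"ID3\x03" + b"constructed-audio-frames" * 4095 + b"different-encoder-output"

KNOWN = {file_digest(io.BytesIO(CATALOGUED)): KnownCopy("Sample Track", "2000-05")}
DOWNLOADS = {"track_a.mp3": CATALOGUED, "track_b.mp3": SEPARATE_ENCODING}


def run_sample() -> List[Finding]:
    return compare(DOWNLOADS, KNOWN)


if __name__ == "__main__":
    for f in run_sample():
        if f.match:
            print(f"{f.filename}: identical to catalogued copy "
                  f"'{f.match.title}' (first seen {f.match.first_seen})")
        else:
            print(f"{f.filename}: no catalogue entry for {f.digest[:16]}...")
```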

Recently, the RIAA suffered a
setback in their subpoena campaign when a Federal district court overturned a
lower court’s decision on the DMCA subpoena process, stating that the DMCA was passed
by Congress before P2P technology existed, thus that activity is exempted from
the subpoena provision [32]. Now they have the added expense of filing an
actual “John Doe” lawsuit against the suspected offender, which then legally
allows them to subpoena the ISP for any requested information on that IP
address. Putting a twist on the outcome, RIAA president Cary Sherman stated
this was an unfortunate event, since it now prevents them from sending letters
to the people prior to filing a lawsuit against them.

This automated method is in addition to the
brute-force approach of simply logging on to the P2P network with a compatible
file-sharing program and searching for potentially-infringing material. In a white
paper dated September 11, 2000, titled To Catch a Cyber Thief, Arlington,
Virginia-based Cyveillance introduces
a system of Intellectual Property Protection Solutions they call NetSapien™ Technology:
“the most powerful business
search and analysis tool available” which spiders the billions of web pages on
the Internet for relevant content and assesses the meaning of that information
for marketing intelligence, customer and brand loyalty [11]. This technology
makes searching for unauthorized copies of intellectual property much smarter
than blindly doing a keyword lookup on a web search engine [ibid].

A similar approach is employed by Los Gatos,
California-based BayTSP; however, they
go further by actually sending infringement notices to the user and their ISP
as well as monitoring for compliance of takedown notices (international
infringement notification complies with the Berne Convention.) [24] The
automated system runs 24x7 and according to their website “monitors all major
P2P networks … global surveillance of the Internet, including web sites, FTP
sites, P2P networks, IRC sites, newsgroups, and auction/retail sites.” [25] “BayTSP
has patented technology that utilizes the extracted DNA of a specific digital
file - still image, video, audio, etc.- which its spiders track on the
Internet, FTP sites, peer-to-peer networks, IRC, Usenet, and auction/retail
sites.” [ibid]

MediaSentry,
a New York-based corporation, also scans the Internet looking for pirated
copies of music and videos:

MediaSentry is one of the
most hated anti-P2P companies because they actively inject spoofed decoy files
on P2P nodes while simultaneously downloading every available infringing file
to prevent their download by other file sharers.

In a 75-page, 2001 study
titled “The Copyright Crusade” Viant Media and
Entertainment CTO Frank Andrew explored the influence of P2P file sharing
on the business models of copyright holders [27]. His findings suggested that
piracy and copyright infringement via the Internet are runaway activities that
must be curtailed soon by copyright holders, and he offers some rudimentary
statistics on several methods of Internet file trading such as common P2P
clients and the use of Internet Relay Chat (IRC) channels. He concludes that
using IRC is not easy for the majority of Internet customers, yet 22% of daily pirated
movies pass through IRC servers [ibid]. So far, IRC has remained under the
radar of the RIAA, MPAA, and their partners but that is certainly going to
change soon.

Enforcement

The Digital Theft Deterrence and Copyright Damages Improvement Act of 1999
amended §504(c) of the U.S. Copyright Act to allow for fines of
$750 to $30,000 per infringing act and up to $150,000 per each willful infringement (up to $250,000 per
work for repeat offenders) [13]. The
DMCA contains a safe-harbor provision that protects ISPs from legal action if
they willingly and promptly comply
with subpoena requests. This has led to the ISP capitulating rather than risking
criminal penalties, with a resultant loss of privacy and anonymity for their
customers. Verizon Internet Services recently attempted to quash an RIAA
subpoena seeking the identity of a subscriber who allegedly downloaded over 600
copyrighted music files via the KaZaA P2P network [22]. Verizon cited privacy,
First Amendment, and due process issues, as well as the fact that Congress
never considered P2P technology when drafting the DMCA “because that technology did not exist in 1998” [14]. The motion to
quash was denied by the district court, but on appeal, and after another DMCA
subpoena was served upon Verizon, the appeals court overturned those decisions
and found for Verizon, calling portions of the RIAA’s argument “silly”:

“The issue is whether § 512(h) applies to an
ISP acting only as a conduit for data transferred between two internet users,
such as persons sending and receiving e-mail or, as in this case, sharing P2P
files. Verizon contends § 512(h) does not authorize the issuance of a subpoena
to an ISP that transmits infringing material but does not store any such
material on its servers. The RIAA argues § 512(h) on its face authorizes the
issuance of a subpoena to an “[internet] service provider” without regard to
whether the ISP is acting as a conduit for user-directed communications. We
conclude from both the terms of § 512(h) and the overall structure of § 512
that, as Verizon contends, a subpoena
may be issued only to an ISP engaged in storing on its servers material that is
infringing or the subject of infringing activity. […] Finally, the RIAA argues
the definition of ‘[internet] service provider’ in § 512(k)(1)(B)
makes § 512(h) applicable to an ISP regardless what function it performs with
respect to infringing material – transmitting it per § 512(a), caching it per §
512(b), hosting it per § 512(c), or locating it per § 512(d). This argument
borders upon the silly. […] In sum, we agree with Verizon that § 512(h)
does not by its terms authorize the subpoenas issued here. A § 512(h) subpoena simply
cannot meet the notice requirement of § 512(c)(3)(A)(iii).
[…] We are not unsympathetic either to the RIAA’s concern regarding the
widespread infringement of its members’ copyrights, or to the need for legal
tools to protect those rights. It is not
the province of the courts, however, to rewrite the DMCA in order to make it
fit a new and unforseen[sic] internet architecture, no matter how damaging that development
has been to the music industry or threatens being to the motion picture and
software industries.” [32] (emphasis mine)

Per the decision above it is
no longer appropriate for the RIAA to send discovery subpoenas to ISPs
requesting file sharing customers’ contact information when the ISPs are
merely acting as a conduit for P2P network traffic [ibid]. This is perhaps
unfortunate, since it implies that the DMCA will soon have a large sum of
“special interest” money thrown at it in an effort by large corporations to
have this particular shortcoming amended.

Several bills have been independently
introduced by the House and Senate to further protect the interests of big
business IP owners and copyright holders from piracy and infringing uses of
their property:

H.R.2752: Author, Consumer and Computer Owner
Protection and Security (ACCOPS) Act of 2003: “To encourage the
development and distribution of creative works by enhancing domestic and
international enforcement of the copyright laws, and for other purposes.” [33]
This bill, introduced in the House by John Conyers (D-MI) and Howard
Berman (D-CA), makes a federal offense out of providing false information
when registering a domain name, and in an attempt to prevent consumers’
computers from being searched without their knowledge it requires that file-sharing
sites get consent before storing files on a computer or searching for
content. It proposes penalties of up to five years in prison and a
$250,000 fine for uploading a copyrighted file to a P2P network and also bans
videotaping a movie in a theater. Pop singer Michael Jackson, among
others, disagrees with this, stating “I
am speechless about the idea of putting music fans in jail for downloading
music. It is wrong to illegally download, but the answer cannot be jail...It
is the fans that drive the success of the music business; I wish this
would not be forgotten.” [34]

H.R.2517: Piracy Deterrence and Education Act of
2003: “To enhance criminal enforcement of the copyright laws, educate the
public about the application of copyright law to the Internet, and clarify
the authority to seize unauthorized copyrighted works.” [36] This Act purports
to create an educational program to inform citizens of the benefits of the
copyright system in America, as well as inform educational institutions
and corporations of copyright law compliance. The FBI would be required to
develop a program to deter citizens from copyright infringement. The
Department of Justice would be required to hire and train at least one
agent specializing in intellectual property crime investigation. Finally,
the Bureau of Customs and Border Protection would be authorized to seize
all infringing works regardless of whether they have been registered with
the Copyright Office. The problem with these requirements is one of
training and interpretation of the law. None of these programs has a
clause requiring knowledge of the difference between legal and illegal
uses of copyrighted works, the so-called “fair use” clause of the
Copyright Act. If this is not attended to, there will be more harm caused
by the improper seizure of works than good.

H.R.2885 Protecting
Children from Peer-to-Peer Pornography Act of 2003: “To prohibit the
distribution of peer-to-peer file trading software in interstate commerce.”
[40] The supporters of this bill believe that since P2P software is so
popular, and since there is so much pornography being traded, then
children need to be protected from inadvertently downloading it because
the “production of pornography is
intrinsically related to child abuse.” [ibid] Also, supporters believe
that P2P software gives free and open access to users’ hard drives and
most users do not realize this. Aside from the obvious flaws in this
logic, there are more problematical issues at stake. The Act contains a
requirement that all P2P software installation programs must look for and
comply with a parental “do-not-install” flag on the computer, if it
exists. This may not be feasible to implement, and most certainly would be
easy to circumvent by most teenagers. There is also a requirement that the
P2P software alert the user to any action that might breach their privacy
or allow others to view files on their computer. Such activities include:
bypassing personal firewall software, becoming a high-speed file sharing supernode on a P2P network, or even searching for
available files to download. All of these mandated alerts would prove to
be extremely burdensome to the average software user. The final
requirement would be that non-U.S. residents that distribute P2P software
must have a U.S. agent designated for process service. Since every popular
P2P program has been written by either an individual or a non-commercial
group, and most are off-shore, this would be a financial burden.

H.R.5211 To amend title
17, United States Code, to limit the liability of copyright owners for protecting
their works on peer-to-peer networks: “Amends Federal copyright law to
protect a copyright owner from liability in any criminal or civil action
for impairing, with appropriate technology, the unauthorized distribution,
display, performance, or reproduction of his or her copyrighted work on a
publicly accessible peer-to-peer file trading network, if such impairment
does not, without authorization, alter, delete, or otherwise impair the
integrity of any computer file or data residing on the computer of a file
trader.” [41] This resolution attempts to make it legal for anyone to
launch a Denial of Service (DoS) attack against
a P2P network without repercussion if they believe that their copyrighted
material is being traded over that network. Proponents state this is akin
to making every copyright holder a judge, jury, and executioner without
proper judicial oversight. Again, there is no way for the copyright holder
to know for what purpose their works are being downloaded, since fair-use
is permitted within certain guidelines.

Anti-P2P Actions and Detection

The RIAA and its hired tracking
firms have several options at their disposal if they wish to lessen or prevent
copyrighted content from being traded over P2P networks. It is known that some
of the following techniques are currently being used or might be used soon, and
at least one is being prepared for use:

Offering monetary rewards for “information
leading to the identification of...”

Denial of Service attacks against P2P networks in
an attempt to make them unusable

Using “original” Napster file hashes for
comparison of traded music files with known pirated copies

Using software written to sabotage P2P networks
and the computers downloading copyrighted music [15]

Embracing the technology and building a viable
business model around it instead of alienating customers

If the RIAA or its agents
access a P2P network with the intent to either flood the network with fake
multimedia files or otherwise perform a denial of service action, they could be
liable to a civil lawsuit under the “trespass to chattels” common law. This
intentional tort (a wrongful act…that
injures another and for which the law imposes civil liability) [18] is defined
as: “…an intentional interference with a
plaintiff's right of possession to personal property. This may occur if a
defendant damages the property or deprives the plaintiff of possession of the
property.” [19]

The use of software [15]
written specifically to disrupt network communications or personal computers
engaged in same may also fall under the trespass
to chattels tort. This angle has yet to be explored in court.

Constitutional issues might
also arise. The Fifth Amendment to the Constitution of the United States of America contains the following text:

“No person shall … be deprived of life, liberty,
or property, without due process of law; [The Fifth Amendment] can be
asserted in any proceeding, civil or criminal, administrative or judicial,
investigatory or adjudicatory; and it protects against any disclosures which
the witness reasonably believes could be used in a criminal prosecution or
could lead to other evidence that might be so used.” [20]

The “Due Process” clause affords
many rights to the individual, yet the subpoena provision of the DMCA does not
take those rights into account.

The methods employed by the
RIAA for detecting materials being downloaded by web and P2P users, in
conjunction with the associated presumption of guilt, intrude upon the privacy
expectations of Internet patrons with the loss of online privacy and anonymity
as a result. Some of these methods have been mentioned previously.

The issuance of subpoenas to
a P2P-user’s ISP for possibly-infringing file trading activities, in the
absence of solid evidence, could be construed as a privacy invasion. If it is
later determined that no laws were in fact broken, the loss of anonymity, public
integrity, and time spent dealing with the actions of the RIAA cannot be regained.
There is also no guarantee that the ISP will be able to identify the actual
person who is performing the action. All they can potentially do is confirm
that the logged-in account’s computer was connected at the time specified in
the subpoena.

The subpoena process specified
in the DMCA runs contrary to the accepted procedure known in legal circles as “Rule 45” (of the Federal Rules of Civil Procedure) which
states: “If separate from a subpoena
commanding the attendance of a person, a
subpoena for production or inspection shall issue from the court for the
district in which the production or inspection is to be made.” [16] (emphasis
mine) This is how both Massachusetts
Institute of Technology and Boston College successfully quashed the subpoenas from
the RIAA attempting to obtain the identities of several students alleged to be
conducting illegal file sharing [17]. In response, the RIAA simply filed the
subpoenas again in the state of Massachusetts. Now that the DMCA subpoena
process has become unenforceable for P2P network traffic, the media companies
are going to have to find a new method for detecting the owners of any IP
addresses suspected of trading copyrighted materials across P2P networks.

Legislation

Congress has recognized the
problem of maintaining citizens’ online anonymity and privacy, and has been
proposing legislation that appears to begin the process of balancing property
holders’ and users’ rights. The most vocal proponent is Senator Norm Coleman (R-MN)
who recently sent a letter to the RIAA [42] asking for the specific methods they
use to identify illegal file sharing and what safeguards are in place to
protect P2P users’ privacy. The RIAA responded to the request quickly [43]. This
action was initiated due to the voluminous number of subpoenas the RIAA has
filed in Washington D.C., currently holding at 382, which required extra court
clerks to process the enormous tide of paperwork [42]. Each piece of proposed
legislation has pros and cons, but all are designed to more equitably balance
copyright law and empower the consumer with knowledge and rights. Senator Coleman
is also holding congressional hearings in an effort to lessen the bludgeoning
of citizens by the RIAA.

The House of Representatives
has the following items on the table:

H.R.107 Digital Media Consumers' Rights Act
(DMCRA) of 2003: “To amend the Federal Trade Commission Act to provide
that the advertising or sale of a mislabeled copy-protected music disc is
an unfair method of competition and an unfair and deceptive act or
practice, and for other purposes.” [44] This bill attempts to correct two
things: 1. it directs the FTC to ensure the proper labeling of
copy-protected music CDs to help avoid consumer confusion and
disappointment prior to purchase; 2. it restores balance in U.S. Copyright
Law. It reaffirms fair-use under the DMCA by allowing the circumvention of
a protection mechanism as long as no copyright infringement is taking
place. The BetaMax standard (Sony v. Universal)
would be reaffirmed by enabling the use, manufacture, and distribution of
software and hardware that bypasses protection mechanisms as long as it is
capable of significant non-infringing uses. Finally, scientific research
into methods of bypassing protection mechanisms other than encryption would
be protected, as well as the creation of tools to facilitate such
research.

H.R.69 Online Privacy
Protection Act of 2003: “To require the Federal Trade Commission to
prescribe regulations to protect the privacy of personal information
collected from and about individuals who are not covered by the Children's
Online Privacy Protection Act of 1998 on the Internet, to provide greater
individual control over the collection and use of that information, and
for other purposes.” [45] All online
service and web site operators will be held accountable for any privacy
leaks which occur as well as having to release a list, upon demand, of all
persons and companies to whom they have released any personally
identifiable information on a customer. A violation will be treated under
the Federal Trade Commission Act as “a violation of a rule defining an
unfair or deceptive act or practice” [ibid].

H.R.1066 BALANCE Act of 2003 (Benefit Authors
without Limiting Advancement or Net Consumer Expectations) (formerly H.R.5522
Digital Choice and Freedom Act of 2002): “To amend title 17, United States
Code, to safeguard the rights and expectations of consumers who lawfully
obtain digital entertainment.” [46] This bill amends the Copyright Law in
several areas:

“(1) include analog or digital transmissions
of a copyrighted work within fair use protections; (2) provide that it is not a
copyright infringement for a person who lawfully obtains or receives a
transmission of a digital work to reproduce, store, adapt, or access it for
archival purposes or to transfer it to a preferred digital media device in
order to effect a non-public performance or display; (3) allow the owner of a
particular copy of a digital work to sell or otherwise dispose of the work by
means of a transmission to a single recipient, provided the owner does not
retain his or her copy in a retrievable form and the work is sold or otherwise
disposed of in its original format; and (4) permit circumvention of copyright
encryption technology if it is necessary to enable a non-infringing use and the
copyright owner fails to make publicly available the necessary means for
circumvention without additional cost or burden to a person who has lawfully
obtained a copy or phonorecord[sic] of a work, or lawfully received a
transmission of it.” [47]

“Establishes in the International
Broadcasting Bureau the Office of Global Internet Freedom to develop and
implement a comprehensive global strategy to combat state-sponsored and
state-directed Internet jamming and persecution of those who use the Internet.
Requires an annual report from the Office to Congress on the status of state
interference with Internet use and of U.S. efforts to
counter such interference. Expresses the sense of Congress that the United
States should: (1) denounce governments that
restrict, censor, ban, and block access to information on the Internet; (2)
direct the U.S. Representative to the United Nations to submit a resolution
condemning such actions; and (3) deploy technologies aimed at defeating
state-directed Internet censorship and the persecution of those who use the
Internet.” [49]

H.R.3159 Government Network Security Act of 2003:
“To require Federal agencies to develop and implement plans to protect the
security and privacy of government computer systems from the risks posed
by peer-to-peer file sharing. Requires the Comptroller General to review
and report to specified congressional committees on the adequacy of such
agency plans.” [50]

The Senate has not been
sitting idle either; they have introduced these relevant bills:

S.563 Computer Owners’
Bill of Rights: “To protect owners of computers, and for other purposes.” [51]

“Requires the Federal Trade Commission (FTC)
to: (1) establish standards for the provision of technical support for
computers and computer-related products by computer hardware and software
manufacturers, as well as consultants and resellers that provide technical
support (entities); (2) issue guidelines to encourage each such entity to
collect and submit to the FTC information on the nature and quality of such
technical support; and (3) establish a public registry in which any person or
entity that does not seek to receive unsolicited marketing e-mail to a computer
may register the e-mail address(es) of such computer
for that purpose. Prohibits unsolicited marketing e-mail to registered
computers.” [52]

S.692 Digital Consumer Right to Know Act of 2003:
“To require the Federal Trade Commission to issue rules regarding the
disclosure of technological measures that restrict consumer flexibility to
use and manipulate digital information and entertainment content.” [53]
This bill:

“Directs the Federal Trade Commission (FTC)
to issue rules to implement requirements that a producer or distributor of
copyrighted digital content disclose the nature of restrictions that limit the
practical ability of the content purchaser to play, copy, transmit, or transfer
such content on, to, or between devices commonly used with respect to that type
of content. Requires such disclosure in the case of limitations on: (1) the
recording for later viewing or listening of certain audio or video programming;
(2) the reasonable and noncommercial use of legally acquired audio or video
content; (3) making backup copies of legally acquired content subject to
accidental damage, erasure, or destruction; (4) using limited excerpts of
legally acquired content; and (5) engaging in the secondhand transfer or sale
of legally acquired content. Provides disclosure exceptions. Requires the FTC
to annually review the effectiveness of such rules. Expresses the sense of
Congress that: (1) competition among distribution outlets and methods generally
benefits consumers; and (2) copyright holders selling digital content in
electronic form for distribution over the Internet should offer to license such
content to multiple unaffiliated distributors.” [54]

Many of these bills are
currently wending their way through the House and Senate, and hopefully most
will be ratified. This would be a boon for American consumers and go a long way
toward bringing balance back to the application of Copyright Law.

Preventing the Loss of Privacy and Anonymity

Several methods exist to reduce the privacy loss
facilitated by automated methods of search and discovery. Each of the following
techniques exhibits both strengths and weaknesses against certain types of
surveillance and monitoring techniques:

1. Conversion of text file lists into graphic images to bypass
automated filename detection: The automated scanning of P2P networks can be
reduced or even eliminated by conversion of available file lists into graphic
images instead of plain text. This simple action would greatly increase the
amount of human interaction required to visually confirm downloads. This might
mean that existing P2P software or even the underlying network protocols will
need to have major reworking in order to maintain ease of use for customers. Instead
of connecting to a potential download client and receiving a plain text list of
files in their shared folders, the P2P software will need to display a graphic
image of the user’s available files. Compiler libraries exist to facilitate the
creation of .GIF images in real time (that image format has been royalty free
since June 20, 2003 [28]).
This will prevent bots from scanning for potentially-infringing multimedia
files on P2P networks, forcing humans to perform the search instead. This
technique will not stop unwanted file list perusal or P2P network privacy
incursions but it will certainly slow them down.

2. P2P file lists employing anti-bot
images requiring manual user interaction to download: This technique is
already in use today by web-based email providers like Hotmail and Yahoo! mail,
which require a person to type in the value displayed by a random graphic
image. This prevents any automated method of bulk account creation, which was
frequently used by spammers. This would be a relatively easy function to
implement in P2P client software, perhaps even being a server-side only
component.

3. Randomize file and subdirectory names via script: For
files sitting on a web or FTP server, web spiders for any search engine may
access directories and their contents, adding them to a central database for
public use. By randomizing the directory names as well as individual file names
this risk is lessened but not entirely prevented. A simple Perl script can not
only rename files and directories, but can also simultaneously update the web
page or FTP links pointing to the files. If a search engine manages to spider
one set of links, they will only remain valid until the next cycle of renaming
occurs. Scheduling this renaming procedure at a high granularity will mitigate
discovery.

4. Tarpits for bots: This technique is easily used against
web-based bots and to a certain extent FTP-based bots. It could also be used
against P2P-based bots on any of the current P2P networks; however, this
particular case would require some custom programming to implement (this case
is covered later). The basic idea behind a tarpit is to create a bunch of
seemingly-real file links, either on a web page or in an FTP directory. When
the bot follows this link, it merely leads to another web page or directory
with another set of seemingly-real links. Each link can easily be randomly
created by using a small database of common file names. This process continues ad
nauseam. Intelligent bots would perform a breadth-first search, limiting
their search depth to a small value such as five in order to prevent being
"trapped" by this technique. However, this idea would still be valid;
the file sharer would simply place the "real" files on the server at
a level just below this artificial search limit, ensuring that the HTTP_REFERER
environment variable points to the final fake directory that was generated in
the current session. For a P2P network honeypot, the search results returned by
the P2P client software would need to be modified to point to a fake set of
filenames which in turn point to another set of fake filenames, etc. By forcing
the P2P client user to enter a one-time password embedded in a graphic image at
program startup, the network could determine if this was an automated bot or a
real human and thus control the link types presented to the client. It is
important to note that this honeypot technique is only valid against automated
methods of file scanning, however there are so many file sharing locations on
the Internet that everyone becomes anonymous simply by sheer numbers.

5. Use of Wi-Fi hotspots for anonymous connections: By using
free wireless network connections for P2P file sharing the user is completely
anonymous and thus immune to potential liability for alleged illegal activities.
Such so-called "hotspots" are located all over: Manhattan's Union Square Park [29] in New York is a prime example of such a location. Funded by
several large public and non-profit organizations, this location allows anyone
to simply connect with a wireless-enabled laptop or PDA (802.11b) and use the
Internet by entering the network ESSID and using DHCP for receiving an IP
Address. These areas do not use WEP or any other form of encrypted
communications because that reduces the usefulness of free and open
connectivity for the public. Many fast-food chains like Taco Time and Arby’s as well as coffee houses such as Starbucks also offer free
wireless connectivity to the Internet. While a wireless Internet connection somewhat
reduces the usefulness of large file uploading activities due to the limited
bandwidth available, generally about four or five Mbps, the user can certainly download
as much as they want in a single sitting with no fear of being tracked.

6. P2P file sharing software using encrypted communication
protocols: Two different directions can be taken with this technique: using
existing protocols, or rolling your own. The benefit of using your own protocol
is having complete control over every aspect of the data packets. This
generally results in a much faster and more secure transfer capability over existing
protocols, yet requires extensive knowledge of low-level protocol programming.
The benefit of using existing protocols such as SSL over HTTPS and SFTP is that
these protocols usually bypass ISP and corporate firewalls. Palestine-based EarthStationV is
one P2P program that uses existing secure protocols to not only connect to
their secure P2P network anonymously, but also allow you to run a secure web
server and private network from your own computer [30].

7. P2P2P proxies: This is similar in concept to anonymous
email “remailer chaining” where all identifying header information is stripped
from the message and forwarded to another remailer, until eventually being
delivered to the recipient. In this case, the data stream for a downloaded file
is split and sent to a random P2P client that forwards this portion of the
download to another random P2P client, until eventually every packet reaches its
destination. Each P2P client will not be downloading a complete file but only
parts of it, and no one knows which client is requesting the file. This might
affect certain legalities of copyright infringement because no single person
ever downloads a complete file. AT&T built a free anonymous web browsing
proxy in 1997 called “Crowds” based on this idea (now defunct), and the U.S.
Navy built an anonymizing network service called “The Onion Routing Project” [31]
also based on this principle. It ran for many years before finally being shut
down on January 28, 2000 at
the end of its proof-of-concept phase:

“The Onion Routing [OR] research project is building an Internet-based
system that strongly resists traffic analysis, eavesdropping, and other attacks
both by outsiders (e.g. Internet routers) and insiders (Onion Routers
themselves). It prevents the transport medium from knowing who is communicating
with whom -- the network knows only that communication is taking place. In
addition, the content of the communication is hidden from eavesdroppers up to
the point where the traffic leaves the OR network. […] Onion routing accomplishes
this goal by separating identification from routing. Connections are always
anonymous, although communication need not be. Communication may be made
anonymous by removing identifying information from the data stream. Onion
routing can be used by a variety of unmodified Internet applications by means
of proxies (non-invasive procedure) or by modifying the network protocol stack
on a machine to be connected to the network (moderate or highly-invasive
procedure).” [ibid]

8. Changing MD5 hashes or CRC32 checksums of multimedia files:
A person only known by the pseudonym nycfashiongirl who decided to challenge her subpoena in a
recent RIAA case prompted an interesting discovery: the RIAA has been
maintaining a large database of MP3 file hashes dating back to the days of the
original Napster file sharing
program. These file checksums are compared against the hashes of
recently-downloaded music files to see if they are identical or not. If the checksums
match, then this file is indistinguishable from one traded on the original Napster network. An obvious solution to
defeating this type of “fingerprinting” is to simply change the file in a way
that impacts the checksum but doesn’t affect the quality of the sound. The
first thing to be done is either eliminate or rewrite the IDv2 or IDv3 info tag
in the music file header, located in a fixed position in the MP3 file. There
are mathematical methods to change certain bits throughout the MP3 file that
affect the file hash yet have no audible effect during playback. A drawback to
this solution is that some P2P networks may use the file checksum to identify a
valid MP3 music file, instead of just by title. By changing this checksum these
P2P networks will need to find another method for identifying known good files
so users don’t waste their time downloading fake or corrupted files.

9. Using darknets: Creating and joining a hidden or “unplugged”
network of P2P clients is probably the most private method of performing file
sharing. Waste [63], MUTE [64], and FreeNet [65] are some proposed
methods for performing this activity. These disconnected networks of peers are
not open to the general Internet, and clients cannot connect without knowledge
of a secret key or password. Thus these “darknets” are highly resistant to
privacy incursions by the RIAA or similar agents. MUTE is one of the newer file sharing clients to appear, and seems
to be highly-resistant to traffic tracing and logging. Each MUTE client generates a unique “virtual
address” upon startup, and only that random ID is returned per client for all
successful search requests. All MUTE
traffic is also encrypted, thus rendering moot any packet sniffing attempts. And
since each request packet (for searches) is routed through a network of peers
only the next neighbor’s IP address could be discovered, which doesn’t matter
because all file transfers are performed directly between peers.
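
Item 8 notes that whole-file checksums break as soon as the info tag is rewritten, and that networks relying on checksums would then need another way to recognise known good files. The sketch below is an added example, not code from this paper or from any P2P client: it assumes the standard ID3v1 and ID3v2 tag layouts, hashes only the bytes outside those tags, and runs on constructed sample bytes rather than real audio.

```python
import hashlib
from typing import Tuple

ID3V1_LEN = 128  # ID3v1: fixed 128-byte trailer beginning with b"TAG"


def audio_span(data: bytes) -> Tuple[int, int]:
    """Return (start, end) of the bytes left after skipping ID3 metadata."""
    start, end = 0, len(data)
    # ID3v2 header: b"ID3", 2 version bytes, 1 flags byte, 4-byte synchsafe size.
    if len(data) >= 10 and data[:3] == b"ID3" and all(b < 0x80 for b in data[6:10]):
        size = (data[6] << 21) | (data[7] << 14) | (data[8] << 7) | data[9]
        footer = 10 if data[5] & 0x10 else 0  # optional 10-byte footer
        if 10 + size + footer <= len(data):   # ignore truncated or bogus tags
            start = 10 + size + footer
    if end - start >= ID3V1_LEN and data[end - ID3V1_LEN:end - ID3V1_LEN + 3] == b"TAG":
        end -= ID3V1_LEN
    return start, end


def file_md5(data: bytes) -> str:
    """Checksum of the whole file, tags included (the brittle identifier)."""
    return hashlib.md5(data).hexdigest()


def audio_md5(data: bytes) -> str:
    """Checksum of the payload only, so re-tagged copies still match."""
    start, end = audio_span(data)
    return hashlib.md5(data[start:end]).hexdigest()


def make_id3v2(title: bytes) -> bytes:
    """Constructed minimal ID3v2.3 tag holding a single TIT2 (title) frame."""
    body = b"\x00" + title  # text-encoding byte followed by the text
    frame = b"TIT2" + len(body).to_bytes(4, "big") + b"\x00\x00" + body
    n = len(frame)
    synchsafe = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return b"ID3\x03\x00\x00" + synchsafe + frame


def make_id3v1(title: bytes) -> bytes:
    """Constructed ID3v1 trailer: TAG, 30-byte title, remaining fields blank."""
    return b"TAG" + title.ljust(30, b"\x00")[:30] + b"\x00" * 94 + b"\xff"


# Constructed stand-in for audio data (not a playable MP3 stream).
AUDIO = b"\xff\xfb\x90\x00" + bytes(range(256)) * 4

SAMPLE_A = make_id3v2(b"Track One") + AUDIO + make_id3v1(b"Track One")
SAMPLE_B = make_id3v2(b"retagged copy") + AUDIO + make_id3v1(b"retagged")
SAMPLE_C = AUDIO  # same payload with no tags at all
# Payload differs by one byte: no exact checksum survives this, tags or not.
SAMPLE_D = make_id3v2(b"Track One") + AUDIO[:-1] + b"\x00" + make_id3v1(b"Track One")

if __name__ == "__main__":
    for name, blob in [("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C), ("D", SAMPLE_D)]:
        print(name, "file:", file_md5(blob), "audio:", audio_md5(blob))
```

Samples A, B and C differ only in their tags and share one payload checksum, while D shows the limit of any exact checksum: a single changed payload byte produces an unrelated value.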

Conclusions

The issues surrounding P2P
file sharing freedoms and DRM are too complicated to offer a quick and simple
solution. As technology becomes more complex and pervasive, it is obvious that
copyright and intellectual property protection laws will always play catch-up. While
copyright infringement runs rampant over the Internet, there exists a need for a
secure DRM technique that also protects an individual’s privacy and allows for
unfettered fair use of protected material. It is perhaps more important that a
user’s fair-use rights be protected than that of a copyright holder’s control
over their material. In this vein, the assumption of guilt for downloading
copyrighted material must be changed to a presumption of innocence by the
copyright holders such as the RIAA, MPAA, and their ilk. Until existing laws
are amended to provide this much needed privacy protection, Internet users will
need to protect themselves.

This protection would best be
implemented as a series of concentric rings or levels around the user. Moving
the privacy protection model from one that is network-based to one that is client-based
might be a step in the right direction. IP-blocking tools like Peer Guardian and properly-tuned
personal firewall software can prevent unwanted connections from any block of
IP addresses desired. As new addresses to block are discovered they can easily
be added to the blocking rules. Moving a level outward, the actual network
traffic needs to be encrypted and proxies need to be employed so as to prevent
sniffing tactics and name servers from returning useful trace data. Finally, by
simply removing themselves directly off the Internet via the use of darknets,
P2P users can ensure that the weakest link in their file trading hierarchy is
themselves. By allowing only trusted partners into the darknet, they
effectively prevent any outside privacy breaches from occurring. With a
combination of new technology and new protective laws being ratified, the
future of P2P file-sharing remains hopeful.